{"id":264724,"date":"2026-06-05T01:34:00","date_gmt":"2026-06-05T05:34:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/05\/pcpjack-hijacks-230-aws-google-cloud-and-azure-servers-for-covert-smtp-relay-network\/"},"modified":"2026-06-05T06:10:15","modified_gmt":"2026-06-05T10:10:15","slug":"pcpjack-hijacks-230-aws-google-cloud-and-azure-servers-for-covert-smtp-relay-network","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/05\/pcpjack-hijacks-230-aws-google-cloud-and-azure-servers-for-covert-smtp-relay-network\/","title":{"rendered":"PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/pcpjack-hijacks-230-aws-google-cloud.html\">PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/pcpjack-hijacks-230-aws-google-cloud.html\">https:\/\/thehackernews.com\/2026\/06\/pcpjack-hijacks-230-aws-google-cloud.html<\/a><\/p>\n<p>Publish Date: 2026-06-05 01:34:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Jun 05, 2026<\/span><\/span> <span class=\"p-tags\">Threat Intelligence \/ Cloud Security<\/span><\/p>\n<p>The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to create a covert SMTP email relay network.<\/p>\n<p>&#8220;Compromised business servers across the U.S., Europe, and Asia were quietly converted into SMTP proxies, verified for mail relay capability, and synced to a downstream consumer every five minutes,&#8221; Hunt.io said in a statement. 
&#8220;The infrastructure was still running when we found it.&#8221;<\/p>\n<p>The threat intelligence company said it found source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration after the threat actor behind the operation left two open directories on a command-and-control (C2) server (&#8220;213.136.80[.]73&#8221;) without any authentication.<\/p>\n<p>PCPJack was first discovered by SentinelOne in April 2026 after it identified a credential theft framework that specifically targets cloud services, while taking steps to terminate and remove processes or artifacts associated with TeamPCP, another notorious hacking group that has attracted attention in recent months for its software supply chain attacks.<\/p>\n<p>Staged in one of the open directories was a Sliver-integrated SMTP proxy deployment toolkit, along with Chisel tunneling and proxy binaries for most Linux CPU architectures, such as AMD64, ARM64, and x86. On the victim side, the binary is dropped as a hidden dot-prefixed file and persisted at &#8220;\/var\/tmp\/.xs.&#8221;<\/p>\n<p>Also found in the directories are deployer scripts designed to load the Sliver C2 client configuration and filter for Linux beacons that have checked in within the last ten minutes. 
Beacons are implants that periodically phone home to the C2 server at regular intervals to check in and retrieve commands.<\/p>\n<p><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"1080\" data-original-width=\"1999\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjDFM4oDWYAO7JKcLxS6IQC1lqi41moPuJEQX-yvb7vS6s-kRbcAe4Nwj2nKUKGU0XSD-VeRXaq0r42YXlRC9i1KFmSKIVmRilbLhhgbUU8Qn5EKZwKMgSZ3PfNULHup7-ljxLF5RXEyzq8hR3Q18lWRj7MpqEg3bsMUPAc88JkhTopQySSo2K6ZX2Zp9Ff\/s1600\/proxy.png\"\/><\/p>\n<p>&#8220;Each beacon receives a SOCKS5 proxy port derived deterministically from an MD5 hash of its Sliver UUID, mapped into the range 10000-14999,&#8221; Hunt.io noted&#8230;.<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/pcpjack-hijacks-230-aws-google-cloud.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network https:\/\/thehackernews.com\/2026\/06\/pcpjack-hijacks-230-aws-google-cloud.html&#8230;<\/p>\n","protected":false},"author":1,"featured_media":264727,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEibu0mX9Tusu3siXFJzPskfA1ZYZ2OdRJTegsJFkffBc9cBBPGWguTUAI3PPAaFy-WIjziA9PIrMrZNVuFVNmbFhOSPLv6mMBPvjWnR-WQGBD2fvGFTJT358yWFFTxeFSS87aQ_fj30G2VdsGlBjy2KJiby4CS-k3X9FjjpyTGxljOo373cUaZKhdBvWZ_a\/s1600\/cloud-emails.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[34],"class_list":["post-264724","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264724"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/ty
pes\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=264724"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264724\/revisions"}],"predecessor-version":[{"id":264729,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264724\/revisions\/264729"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/264727"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=264724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=264724"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=264724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}